DoD tackles mobile device authentication through several pilots

Jared Serbu reports.

The Defense Department says it's committed to a future in which service members
and civilians can use the latest and greatest mobile technology to get their work
done, regardless of the device manufacturer. But it's still struggling mightily
with one of the biggest challenges for mobility in the government: identity
management.

While the Pentagon thinks it's gone a long way toward making sure its security
approval processes for mobile devices, apps and infrastructure can keep up with the
pace of commercial technology, there's one enormous nut the department still hasn't
cracked: how to let DoD users securely authenticate themselves to the network from
mobile devices, the same way they do today from desktop and laptop computers. On
those computers, users slide their common access cards (CACs) into a smart card
reader in order to do multi-factor authentication.

Using that same method on a mobile device defeats the purpose of having a mobile
device.

"To date, the solutions have been Bluetooth or corded card readers that are very
difficult to use, they have separate power sources, they're not really in favor
with generals and senior executives," said Devon O'Brien, the lead mobile engineer
for public key infrastructure (PKI) at the Defense Information Systems Agency.
"The user experience is awful and because we're such a niche market, the cost per
device is awful. That's sort of what prompted the look for alternate credentials."

Those alternate credentials would be trusted by DoD networks just as much as the PKI
certificates currently stored on common access cards. But they would have to be
separate credentials, with their own key pairs, since the card isn't actually
attached to the device. The National Institute of Standards and Technology is
finalizing a new special publication (SP 800-157, Guidelines for Derived PIV
Credentials) that describes these "derived credentials" and how they can be issued
and used securely.
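To make the "separate credential, same trust" idea concrete, here is an added example in Go (not DoD, DISA or NIST code) that walks the core of a derived-credential issuance: the holder proves possession of the card's PIV authentication key by signing a fresh challenge, the issuer then certifies a key pair generated on the phone under the same subject, and a relying party verifies the derived certificate exactly as it would the card's. Everything here is assumed for illustration: a single example root CA, ECDSA P-256 keys, the subject name `DOE.JANE.1234567890`, the helper names `makeCert`, `signChallenge`, `deriveCredential` and `RunScenario`. The identity-proofing, activation, key-protection and revocation requirements that SP 800-157 places around this step are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumption: one root CA trusted by every relying party; names and serial numbers are
// illustrative, not real DoD PKI values. must() wraps setup calls that cannot fail on
// well-formed input; the issuer step is the one that returns a real error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// makeCert signs a client-auth certificate for pub; the root (isCA) is self-signed.
func makeCert(serial int64, cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage, parent = x509.KeyUsageCertSign, nil, tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// verifyChain is the relying party's check, the same for the card credential and the
// derived one: a valid path to the trusted root, usable for client authentication.
func verifyChain(root, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// signChallenge is the card side of proof of possession: the PIV authentication key,
// which never leaves the card, signs the issuer's fresh challenge.
func signChallenge(cardKey *ecdsa.PrivateKey, challenge []byte) []byte {
	d := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, cardKey, d[:]))
}

// deriveCredential is the issuer side: accept the card certificate only if it chains to
// the root and the holder proved possession of the card key, then certify the
// device-generated key under the same subject. Nothing is copied off the card.
func deriveCredential(root *x509.Certificate, rootKey *ecdsa.PrivateKey, pivCert *x509.Certificate, challenge, sig []byte, devicePub *ecdsa.PublicKey) (*x509.Certificate, error) {
	if err := verifyChain(root, pivCert); err != nil {
		return nil, err
	}
	cardPub, ok := pivCert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(cardPub, d[:], sig) {
		return nil, fmt.Errorf("proof of possession failed for %s: challenge not signed by the card key", pivCert.Subject.CommonName)
	}
	return makeCert(3, pivCert.Subject.CommonName, false, devicePub, root, rootKey), nil
}

// Result is what a relying party can observe about the derived credential.
type Result struct {
	DerivedChainsToRoot, SameSubject, DistinctKeys, ForgedPoPRejected bool
}

// RunScenario walks the flow end to end: card enrolment, derivation, relying-party
// verification, and a derivation attempt by someone who does not hold the card.
func RunScenario() (Result, error) {
	rootKey, cardKey, deviceKey := newKey(), newKey(), newKey() // deviceKey never leaves the phone
	root := makeCert(1, "Example Root CA", true, &rootKey.PublicKey, nil, rootKey)
	pivCert := makeCert(2, "DOE.JANE.1234567890", false, &cardKey.PublicKey, root, rootKey)
	challenge := make([]byte, 32) // fresh per enrolment, so a captured signature cannot be replayed
	must(rand.Read(challenge))
	derived, err := deriveCredential(root, rootKey, pivCert, challenge, signChallenge(cardKey, challenge), &deviceKey.PublicKey)
	if err != nil {
		return Result{}, err
	}
	// Someone without the card signs the same challenge with a key of their own.
	_, bad := deriveCredential(root, rootKey, pivCert, challenge, signChallenge(newKey(), challenge), &deviceKey.PublicKey)
	return Result{
		DerivedChainsToRoot: verifyChain(root, derived) == nil,
		SameSubject:         derived.Subject.CommonName == pivCert.Subject.CommonName,
		DistinctKeys:        !derived.PublicKey.(*ecdsa.PublicKey).Equal(pivCert.PublicKey),
		ForgedPoPRejected:   bad != nil,
	}, nil
}

func main() {
	fmt.Printf("%+v\n", must(RunScenario()))
}
```

The point the example makes is that the relying party's code path (`verifyChain`) does not change at all: the derived certificate chains to the same root and carries the same subject, but it certifies a different key, one generated on the device rather than copied from the card. The proof-of-possession step is what ties the new credential to the card the user actually holds; without it, anyone who obtained a copy of the PIV certificate (which is public) could enrol a device in that user's name.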

Waiting on OMB

Greg Youst, the chief mobility engineer at DISA, said DoD is waiting for that
special publication from NIST, but also for some final decisions from the Office
of Management and Budget about how derived credentials can be used.

"Because the issue is, we need to define separation," he told a small audience at
a mobile technology symposium hosted by AFCEA DC in Vienna, Va., on Friday. "One
of the requirements from OMB says that the certificate has to be separate from the
device it's authenticating in."

And OMB's decisions could make or break some of the potential solutions DoD is
exploring for mobile two-factor authentication. For instance, one idea might be to
place those derived credentials on a microSD card that's inserted into the phone.
Another might be to put the certificates onto the same SIM card that a commercial
smartphone uses to identify itself to the commercial cellular network it runs on.

"Here's the debate. Is a microSD separate? I can take it out and put it back in.
What about a SIM chip? I can take it out, but now the phone doesn't work," he
said. "There's still policy stuff that's being worked out at the federal level on
how we're going to approach mobility and PKI, and this is a very complicated
field."

But DoD says it does have some specific requirements that are going to govern how
it handles ID management in the mobile realm: whatever solutions it settles on are
going to have to integrate seamlessly with the Defense Enrollment Eligibility
Reporting System (DEERS), the massive and expensive centralized infrastructure the
Defense Manpower Data Center already operates to manage the identities of 42
million service members, civilians, contractors, retirees and dependents.

Beyond the derived credential options that use technologies such as microSD and
SIM cards, the department is also exploring technologies that would let users hold
their actual CACs up to their phones and authenticate via near-field communication
(NFC), a technology already built into many smartphones.

"The challenge there is because of the policies around federal PIV cards, which
have a whole lot of esoteric nonsense that we have to plow through," said Michael
Butler, DMDC's deputy director for identity services. "But we've made it work. My
guys actually built an email client, you can sign, you can encrypt and it's
certainly a better user experience than the [external card reader]. We've worked
with Google, Samsung, a number of different folks, and we're working on an NSA
assessment. It's really pretty simple technically, it's really making all the
standards work and getting all the standards folks to agree with it that's the
hard part."